CYBERCRIME AND CYBERCRIMINALS
"Cyberspace is not outer space." (Deborah Majoras)
Cybercrime has many definitions (Wall 2001), and in recent years it has become synonymous with computer crime. Technically, the definition of computer crime is any illegal act which involves knowledge of how to use a computer to offend. Most definitions of cybercrime, by contrast, point to some "special knowledge" of cyberspace or "expert" use of a computer to offend. Regardless of how special or expert some offenders are, it is customary today to just lump them all together as cybercriminals for ease of discussion. Most observers agree it is the wave of the future, and it's here to stay. With over one trillion dollars moved electronically every week, the Internet is where the money is. The rates of cybercrime are skyrocketing. The annual "take" by theft-oriented cybercriminals is estimated as high as $100 billion, and 97% of offenses go undetected (Bennett & Hess 2001). Then, there are those who just abuse the Internet and computer systems -- hackers or hooligans, whatever you want to call them -- but cybercriminals nonetheless. Their shenanigans cost an additional $104,000 per incident in damage, labor, and lost productivity (Brown et al. 2001). In addition, there's corporate espionage, which some experts say is the real problem, with annual losses of proprietary information in the $40-60 million range. Toss in organized crime, terrorism, piracy, fraud, embezzlement, extortion, predation, harassment, and a variety of other ways to offend or harm with computers, and it's anybody's guess what the real cost is.
Criminological theory is admittedly weak in this area. There are things that are criminally wrong, deliberately wrong, accidentally wrong, wrong for all the right reasons, wrong for all the wrong reasons, and just plain annoying. Legal systems everywhere are busy studying ways of passing new laws dealing with Internet misbehavior, so the arena has become a sort of "test-bed" or "mini-society" where all sorts of moral deconstruction and decoding goes on. This ethereal realm we call CYBERSPACE is intriguing but full of potential dangers. Barney (2000), for one, hopes that it will eventually be used to perfect democracy. Others see it as offering little more than an underground economy and tempting addictions. It is both a blessing and curse. Nobody has any good idea about how to regulate or police it.
The underground or "shadow" economy refers to a growing cyber-economy of criminals who are making money at online crime. The concept implies an evolution from hacking and virus writing for fun to creating malicious code for profit. For instance, when malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors, one has a black economy. In fact, currently there are plenty of Trojan creation sites out there where one can purchase kits and support for creating malware. It's something of a cottage industry. One can buy compromised computers, or botnets, for spam runs or to perpetrate denial of service attacks. One of the most successful of these was the massive Storm Botnet of 2007, which tricked millions of victims into opening emails about dead people from a storm in Europe, and where the perpetrators obtained control (and put up for sale) about 8% of the world's Internet accounts. There are places where one can pay others to infect your enemies with spyware and Trojans (dirty deeds for a small fee of $100). Additionally, there is the emerging industry of digital espionage services, the growing cyber-extortion field, and the stolen credit-card and bank account markets. During the year 2009, the FBI estimated that crooks stole $40 million from bank accounts simply using a program called Zeus (which can be bought and modified by anyone for $700) and another program called URLZone (which rewrites banking statements so that pilfered money does not appear missing). It's a wonder why anyone still bothers committing traditional crime when today, cybercrime is so much easier.
A Close-Up Look at the Zeus Trojan
|It's been called the most efficient virus ever made, light years ahead of its nearest competitor, the SpyEye trojan. According to the Wikipedia excerpt on Zeus, it was first detected in 2007 and law enforcement has been trying to keep up with it ever since. It is designed to do one thing, and one thing only, and that is to break into bank accounts and steal people's money. It mutates to avoid security measures. Over the years, over 15 big banks have been compromised by it, most notably Bank of America. It spreads via Facebook and Verizon Wireless. It not only steals money from accounts, but it steals social security numbers and birthdates so that those can be sold on the underground market for identity theft purposes. At any given time, about 4 million computers in the world are infected with Zeus. It cannot be removed. Wannabe hackers can purchase it for around $700 on underground websites, and a whole world of criminal enterprise has developed around it.|
An infamous hack was the 2011 Sony Playstation theft of profiles and credit card information. Over 70 million user accounts were compromised in April of that year. Nobody has any idea who did it, and none of the world's big hacker groups, like Anonymous, claimed credit for it, suggesting it might be a "gamer" not a hacker. It is probably true that online gaming is, for whatever reason, often associated with malware. Cheat codes, for example, are commonplace gamer phenomena, but another thing is that online gaming is illustrative of the very real danger of "Internet Addiction," which can be said to play a part. It is also known as being an "onlineaholic," but it is, unfortunately, not a diagnosis recognized for insurance purposes. In a world of news feeds, instant messaging, email, and games, Blackberry devices might as well be called "Crackberry" devices because of their addictive potential. It is as destructive as any obsessive disorder, although the forensic or clinical outlines are not well known. Specialists estimate that 6-10% of Internet users develop some kind of dependency (e.g., Dr. Hilarie Cash, head of Seattle-based Internet/Computer Addiction Services; Dr. Kimberly S. Young, head of the Center for Online Addiction in Bradford, Pa.; & Dr. Maressa Hecht Orzack, the director of the Computer Addiction Study Center at McLean Hospital in Belmont, Mass., and an assistant professor at Harvard Medical School; but in contrast, Sara Kiesler, professor of computer science and human-computer interaction at Carnegie Mellon University, calls it a "fad illness"). However, more evidence points to the fact that Internet addiction exacts a toll on health and family life, aggravates pre-existing disorders, can lead to further addictions such as gambling or pornography, and can lead to cybercrime. The "hook" involves the ever-present hope of escape that the Internet offers to people who are longing for something.
Whether or not cybercriminals are addicted is a question that has not been adequately addressed by academics. The addict-cybercriminal type has never been adequately explored. The lure of cyberspace can be quite strong in other ways too.
THE DEFINITION OF CYBER
First of all, anytime you use the prefix cyber-, you're talking about something somebody is doing online. In other words, there has to be action and some networking involved. Motion characterizes the behavior. Anything related to the Internet falls under the cyber category by definition. Besides being a prefix, it's also a verb, and not just a noun. Plugging in some 3D game and donning your goggles to go "cyber" doesn't count. There's a very specific set of action plans, motivations, and movements when you cyber. It's impossible to just be cyber. There's no steady state of being cyber. To cyber means that you are constantly seeking, saving, and exchanging information, lots of information, and you are constantly using technology to the max. It's like being a news junkie. It's an activity unique to the Information Age we now live in. By its very nature, it involves taking and giving away things without the usual restraints of a regulatory environment. It's the last frontier of complete and total freedom.
Cybercrime is substantially different from the use of computers for traditional activities where the purpose is to "stash" or "store" something. To simply accumulate a stash describes the activity of computer crime, which needs to be properly distinguished from cybercrime. Many criminologists don't grasp this distinction, and would argue that theft is theft regardless of the medium used. However, cyber theft is substantially different, just as cyberterrorism is substantially different from terrorism. It's like the difference between people who use computers like a typewriter and filing cabinet versus those who use computers for all they can be (and want more). The motivations, actions, and goals are different. Our criminal law simply hasn't got enough concepts to grasp the element of mens rea when it comes to cybercrime. There are different kinds of glee, elation, and glory involved in cyberspace that don't exist in the real world. Coverups occur through excess information, not through less information. Further, concepts from the field of white-collar crime are of little use, because you're dealing with something more revolutionary than just trying to make money -- you're dealing with cyberspace and technoculture, two concepts that are essential to any definition of cyber.
Cyberspace has a certain "hippie" connotation. The thinking goes like this: although humans created cyberspace, and are continually expanding it, the real inhabitants are data, information, ideas, and knowledge. This is what is meant by the Information or Knowledge Age. The real estate, or property, is intellectual and public. No one "owns" it, or operates it with any central authority. Politically, it makes governments obsolete. Economically, it can be replicated at zero cost, and unlike an industrial economy where you can only consume so many widgets, the average person in an information economy taps into all the world's knowledge and consumes information as fast as they can. Humans can only benefit from this new medium if they exercise their freedom.
Technoculture is best explained by reference to the CYBERPUNK movement that began in the mid-80s. Hackers, crackers, and phreaks made up the cyberpunk movement. Hackers could make magical things happen with computers, crackers would break into computer systems simply for the pleasure of it, and phreaks would do similar things with telephone systems. Other groups that joined the movement later were cypherpunks, who popularized cryptography to get over on "the System", and ravers, who used computer music, art, and designer drugs at massive all-night dance parties and love-fests in empty warehouses. Literature that glorifies cyberspace and the people on it is called cyberpunk literature, and it has its own slang. Technoculture is opposed to monoculture, the latter term being what hackers call the market dominance of Microsoft.
ARCHITECTURE AND GEOGRAPHY OF THE INTERNET
The Internet is a vast bioelectronic ecosystem that exists anywhere there are phones, coaxial cables, fiber optic lines, or electromagnetic waves (Dyson 1994). Nobody's really sure how big the Internet is (see CAIDA's map of the Internet for a map), but 135 countries have access, 54 world cities are the major hosts, and 72 million people log on every day. You should get the idea that cyberspace is pretty big, in fact, bigger than anything that's ever happened before in human history, and it's constantly growing, tripling in size every year. There are 13 main servers, numbered A through M -- known as "root" servers -- which control all traffic on the Internet, and all but three of them are controlled by the US government, US companies, and/or located on US soil. Notice I didn't say "owned" by the government. Those 13 computers are in private hands, but they contain government-approved, master lists of the 260 or so Internet suffixes, such as ".com" and ".org." The master lists serve as the Internet's master directories and tell Web browsers and e-mail programs how to direct traffic. Internet users around the world interact with them every day, likely without knowing it. If the U.S. government wanted to, it could render a policy decision that in one stroke could make all Web sites ending in a specific suffix essentially unreachable, or it could, if it wanted to, use two of the 13 root servers for cyberwar purposes, especially regarding the two that are still in US military hands. Donated money keeps the 13 root servers operating (list available at www.root-servers.org), but today, because of anycast (cloning) technology, the functions of those servers have been replicated to more than 100 non-legacy root servers around the world, providing some level of security through redundancy. This means there are NOT 13 root servers anymore. There are about 130 of them in various countries (see map of DNS root servers). Their location is not necessarily secret, but nondescript.
No signs or markers point the way to them. They could look like any office building on the outside, but there is high security and a Network Operations Center (NOC) near each of them. Not having any security at all visible from the outside is called "security through obscurity," and it's the main form of security for root servers.
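The two mechanisms described above, a root master list that every lookup passes through and anycast replication of the root servers, can be modelled in a few dozen lines. The following is an added illustration, not code from the original page or from any root operator; every zone, server name, address and region in it is constructed. It shows an iterative resolver walking from the root through a suffix's delegation, what happens to every name under a suffix when that suffix is struck from the root's list, and how an anycast address keeps answering when one instance goes down.

```python
"""Toy model of root-server delegation and anycast replication (added example).

All zone data, server names, addresses and regions below are constructed;
nothing here reproduces the real root zone or real root-server addresses.
"""
import copy

# Constructed delegation data. Each zone lists the child suffixes it hands
# off (child -> name server responsible) and any final address records.
ZONES = {
    ".": {"delegations": {"com": "tld-com.example",
                          "org": "tld-org.example",
                          "fr": "tld-fr.example"},
          "records": {}},
    "com": {"delegations": {"shop.com": "ns.shop.com"}, "records": {}},
    "org": {"delegations": {"library.org": "ns.library.org"}, "records": {}},
    "fr": {"delegations": {}, "records": {"mairie.fr": "198.51.100.7"}},
    "shop.com": {"delegations": {}, "records": {"www.shop.com": "203.0.113.10"}},
    "library.org": {"delegations": {},
                    "records": {"www.library.org": "203.0.113.20"}},
}

# Which constructed name server is authoritative for which zone.
SERVER_ZONE = {
    "tld-com.example": "com", "tld-org.example": "org", "tld-fr.example": "fr",
    "ns.shop.com": "shop.com", "ns.library.org": "library.org",
}


def resolve(name, zones, server_zone):
    """Walk the delegation chain from the root, as an iterative resolver does.

    Returns (address or None, trail of zones consulted). Every lookup starts
    at "." because that is where the master list of suffixes lives.
    """
    zone, trail = ".", ["."]
    while True:
        z = zones[zone]
        if name in z["records"]:
            return z["records"][name], trail
        # Referral: pick the delegated child whose suffix matches the name.
        child = next((c for c in z["delegations"]
                      if name == c or name.endswith("." + c)), None)
        if child is None:
            return None, trail          # no delegation path: unreachable
        zone = server_zone[z["delegations"][child]]
        trail.append(zone)


def without_suffix(zones, suffix):
    """Copy of the zone data with one suffix struck from the root's list."""
    z = copy.deepcopy(zones)
    z["."]["delegations"].pop(suffix, None)
    return z


# Anycast: one root address is announced from several instances and the
# network delivers each query to the nearest live one. Constructed table of
# instance regions and a symmetric "distance" (e.g. milliseconds) matrix.
ROOT_INSTANCES = {"198.51.100.53": ["us-east", "eu-west", "ap-south"]}
DISTANCE = {
    "us-east": {"us-east": 0, "eu-west": 80, "ap-south": 200},
    "eu-west": {"us-east": 80, "eu-west": 0, "ap-south": 140},
    "ap-south": {"us-east": 200, "eu-west": 140, "ap-south": 0},
}


def anycast_instance(address, client_region, down=()):
    """Return the instance that answers for this client, or None if all are down."""
    live = [i for i in ROOT_INSTANCES[address] if i not in down]
    if not live:
        return None
    return min(live, key=lambda i: DISTANCE[client_region][i])


if __name__ == "__main__":
    print(resolve("www.shop.com", ZONES, SERVER_ZONE))
    print(resolve("www.shop.com", without_suffix(ZONES, "com"), SERVER_ZONE))
    print(anycast_instance("198.51.100.53", "eu-west"))
    print(anycast_instance("198.51.100.53", "eu-west", down=("eu-west",)))
```

Striking "com" from the root copy leaves "www.library.org" resolvable but makes every name under .com unreachable from the first step, which is the single point of policy control the text describes; the anycast function shows the redundancy side, where a client in eu-west is served by the next-nearest instance when its local one is down.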
Example of a Root Server
|Verisign's NOC inherited the "A" root server via an acquisition, the "A" server being located near Dulles, VA, handling the .com and .net domains, two of the world's busiest domains, also owned by Verisign. Root server operators have no contract with anyone and no guarantee of level of service. They do it all out of the kindness of their heart. Root operators are a collection of academic, non-profit, scientific and governmental institutions concerned with keeping the Internet running, and their sense of duty keeps them monitoring for natural and man-made disasters which might affect Internet performance.|
The history is that in 1998, the Commerce Department selected a private organization with international board members (ICANN, at www.icann.org, the Internet Corporation for Assigned Names and Numbers) to decide what goes on those lists. Related ("Who governs the Internet") groups of significant note include IANA, or the Internet Assigned Numbers Authority, and the RFC-Editor webpage, both of which are important repositories of information; challengers to ICANN such as the UN-related initiative IGF (Internet Governance Forum); and those who are helping ICANN work toward privatehood, such as NTIA, the National Telecommunications and Information Administration. The US Commerce Dept., however, has kept veto power and stringent reporting control over anything ICANN decides or does. Commerce indicated it would let go of control eventually, and maybe turn control over to an international organization such as the U.N. International Telecommunication Union, but in 2005, the U.S. reversed itself and said something like it would never cede control of the 13 main servers. The U.S. government does, however, endorse having foreign governments manage their own country-code suffixes, such as ".fr" for France.
In late 2006, it appeared that ICANN, or the Internet Corporation for Assigned Names and Numbers, would be getting more autonomy because the US government pledged to cede control of the net at some unspecified future point within the next three years. ICANN is the private, non-profit, guardian of the underlying architecture of the net, overseeing allocation of domain names and the addressing system that links domain names to the numbers computers understand. Observers have always said it is excessively controlled (i.e., bossed around) by the US government. For example, in early 2006, ICANN came up with the idea of establishing an .xxx domain to move all the world's pornography there, but the US government nixed the idea until 2012 when a few xxx domains went up for sale. With less US government control, ICANN hopes to one day achieve its goal of becoming a true "multi-stake holder organization."
|Countries with the Most Hosts:||Fastest Internet Growing Countries:|
8. Hong Kong
ICANN may control the architecture (growth) of the Internet, but it cannot control the geography of cybercrime. Most cybercriminals prefer to rely on stable servers and backbones only found in developed countries, like the USA, Canada, and the UK. Some 70 percent of malicious programs on the Internet are delivered from servers located in these three countries. These are countries which host what are called "command-and-control" (C&C) servers, which are the botnet owners' computers. There are an estimated 20,000 of them, and they control several million other "infected" computers which are called zombie computers or "drones." Depending upon how the botnet owner has configured the topology of their network, detection is more or less difficult, since such networks are often disguised as legitimate companies doing legitimate business. In fact, a common tactic is to disguise the botnet as an anti-virus service provider. Apart from physical servers, cybercriminals need domain names (in zones like .net, .com, .info and .org) to distribute malware. Free domain names are available in some countries, and cybercriminals are attracted to them because they need to constantly change the domain name they are doing business at, since authorities and search engines will eventually block all redirected traffic to them. Here is a list of the countries where cybercriminals usually register their domain names:
Countries with Most Cybercriminalized Domain Names
3. Cocos Islands
Arch-rival to ICANN is the U.N.-based ITU (International Telecommunication Union). ITU has been trying to insert itself into Internet governance for years. They would like to decentralize the assignment of website names and eliminate Internet anonymity. The latter wish is the favorite of totalitarian countries, like Russia, who would like to be able to identify each and every Internet user in real time. ICANN, the U.S. and the EU, stand against that. ITU also would like to create international "access fees" which would help generate revenue for the U.N.
THE CHALLENGES OF CYBERLAW
A computer hooked up to the Internet is a publishing company, telephone, television, library, megaphone, and more all rolled into one. This means that any administration of justice for suspected evil-doing with computers is covered by the First Amendment (freedom of speech) as much as the Fourth Amendment (freedom from search and seizure). The traditional approach in this legal area involves thinking in terms of certain protected zones or spheres of privacy. No one's really sure where Internet freedom is protected in the Constitution. Cyberspace isn't really a zone or sphere. Nobody really owns it, nobody considers it "home," reasonable people shouldn't expect privacy from it, but not too many people want the government or anybody else sniffing, snooping, or regulating every part of this special place. Those are the First Amendment issues. The Fourth Amendment issues, such as those contained in the Personal Privacy Act (PPA) and Title III of the Electronic Communications Privacy Act (ECPA), involve people, not places, but the distinction between wiretapping unread mail (which law enforcement can freely do) and wiretapping previously read mail (which requires consent via Acceptable Use Policies) is less than perfect. When computer forensics specialists seize and search a hard drive for all its contents, the only Fourth Amendment issues they're concerned about are privileged relationships, work product, documentary materials, and/or whether or not the data was intended for publication or dissemination. It seems like we are not only criminalizing a special place, but the person-based activity of having too much fun (with computers).
The other challenging legal question is when Internet activity involves actus reus. In cyberspace, as in virtual reality, it's the impression that what one is experiencing is real. It doesn't require tactile sensation to be virtually raped in a chat room, but the consequences or trauma can be just as real. People can get married in cyberspace, obtain college degrees, and do other things that have real consequences. Plagiarism and copyright infringement are rampant on the web, and companies regularly install cookies and engage in data mining. A lot of Internet content is inappropriate for children. Just how many crimes are possible to commit in cyberspace is difficult to determine, as is proving that some harmful action took place. Computer impressions, symbols, and persona do not make for anything more than conspiracy and inchoate offense charges. When AI (Artificial Intelligence) systems come online, it will prove difficult to determine who had the thought first -- the person or the machine.
Then, there's the whole problem of jurisdiction. Where exactly does cyberspace begin and end? In general, a government's jurisdiction extends to those individuals who reside within its borders or to transactions or events which occur within those borders. The Internet, like space, doesn't have any borders. A few states have been daring, claiming that the flow of commerce, or financial stream, across their Internet nodes gives them jurisdiction. However, it's unlikely that any state authority would issue a warrant for an overseas offender who has less than minimal physical contact with U.S. soil. The minimal contact requirement usually governs transborder technology-related commerce (International Shoe Co. v. Washington 1945). International law enforcement compacts also require dual criminality, which means that investigative cooperation only exists if the offense has similar meaning in both nations. Sometimes, it's better to prosecute overseas, sometimes locally, sometimes federally, and this leads to a lot of disparities and inequities in the justice system.
What and when to seize are also baffling issues. Reactive response to hard drives has become a pattern in law enforcement because they conveniently record voyages in cyberspace. However, it might be easier, and more proactive, to monitor bulletin boards, websites, posts, emails, finger and Usenet. The computer's role should determine if the machine itself is to be seized or simply searched onsite. If the computer was used to commit a crime, the entire system should be seized. If the computer was used to store information about a crime, the hard drive, printer, and printout should be seized. Other situations might call for a quick copy of the hard drive and all floppies. The independent component doctrine requires that probable cause elements be present before any peripheral devices are seized. Getting ISPs to turn over their log files in a timely fashion, and getting upstream carriers to cooperate, are additional problems.
It must be remembered that this is an area, along with drugs, that helped develop the practice of no-knock warrants. Judges apparently felt that hackers could install time-delay devices or hot keys to permit quick disposal of evidence. A time-delay device destroys evidence if the keyboard is not accessed for a while, and a hot key program erases data when a certain keystroke combination is depressed. Courts have also dealt with the time element for how long a computer search warrant keeps from going stale, which is 3-6 months, the latter being the time when an unread message becomes a stored message, for legal purposes (Becker 2000).
Cyberspace law is a patchwork of loosely-articulated protections, liberally punctuated with loopholes and exceptions. Consider, for example, that there is privacy protection for bank records but not for medical records; protection for videotape rentals, but not magazine subscriptions; credit record protection, but not insurance records. New business practices and new technological developments often make good laws quickly obsolete. It's no wonder that cyberspace is the perfect breeding ground for crime because cyberlaw is such a mess. 48 states have some version of the Computer Fraud and Abuse Act (Title 18, Section 1030 of the Federal Criminal Code). This act was passed into law by Congress in 1986, and has been amended at least five times to touch up the language, including Patriot Act revisions. There's also the Economic Espionage Act (Title 18, Chapter 90). Most cybercrime is prosecuted at the federal level under either of these two acts. Let's take a look at these two laws.
|Computer Fraud and Abuse Act: "Whoever knowingly accesses a computer without permission...to obtain information...defined as harmful to national defense, foreign relations..., or injury to the United States, intentionally accesses the financial record of a financial institution, any computer of any department or agency of the U.S., any protected computer involved in interstate or foreign communication, any nonpublic computer that conducts affairs for the government...with intent to defraud, extort, or cause damage...shall be punished by fine and imprisonment for five to twenty years."|
|Economic Espionage Act of 1996: "Whoever intentionally or knowingly steals, copies, receives, or conspires to benefit any foreign instrumentality by converting any trade secret related to interstate or foreign commerce shall be subject to criminal and civil forfeiture of all property used or derived from the offense as well as a fine from $500,000 to $5,000,000 and imprisonment from ten to fifteen years."|
State laws tend to be written as theft or fraud statutes, the evils being stealing and undermining confidence. You might want to review the common law elements of theft and fraud law if you're unfamiliar with these offenses. CardCops, a company that tracks and stings fraudulent (stolen) credit card use over the Internet, estimates online fraud at ten times the rate of real world fraud. EscrowFraud.com estimates that 99% of the web sites a seller of something on the Internet tries to "steer" you toward are "fake." Virtual returns of merchandise are almost as costly as virtual purchases, and so-called carders regularly post sniffed credit card numbers in chat rooms and on web sites. In the long run, it's the perception of dangerousness that hurts e-commerce, but in the short run, it's the speed of offenders and the slowness of law enforcement that is of concern. The typical state-level cybercrime statute is long, often longer than federal code, and the wording is extremely general, but a short example might be as follows:
|Typical State Cybercrime Statute (circa 2000): "A person commits computer theft or fraud when they knowingly and without authorization access or cause to be accessed any computer or network for obtaining goods, services or information with the intent to permanently deprive the owner of possession or use."|
THE NATURE AND VARIETY OF CYBERCRIME
Not everything computer-related is cybercrime, and not everything computer-related is computer crime. A person using a stolen telephone code to make free calls, even though the number is processed by a computer, is engaging in toll fraud, not computer crime. A person who embezzles $200 from the ATM of a company they work for still commits embezzlement, not cybercrime. The use of computers as incidental to another offense is not cybercrime. There are plenty of laws on the books already to classify many types of cybercrime. One way to do this involves thinking along the lines of asset forfeiture, or whether computers make up the fruits or instrumentalities of crime. This is a classification of cybercrime with the computer as target and computer as tool.
Computer as Target: This kind of activity is the wrongful taking of information or the causing of damage to information. Targeting a computer just to obtain unauthorized access is the hallmark of hacking, and the most serious criminal offense here is theft of information, followed by maliciousness, mischief, and wayward adventuring. Bypassing a password protected website to avoid payment would be theft of services, and foreign intelligence break-ins would be espionage. These are all familiar types of crimes, but hacking is typically done in furtherance of a larger scheme since the hacker wants to exploit all computational and encryption capabilities of a hacked system in order to weave through related computer systems. The activity can range from large-scale disruption to elegant hacking. DNS rerouting and denial of service attacks are the most disruptive. Subtle changes to a web page are elegant. Hackers also generally collect password lists, credit card info, proprietary corporate info, and warez (pirated commercial software). A list of specific offenses in this category might include:
Arson (targeting a computer center for damage by fire)
Extortion (threatening to damage a computer to obtain money)
Burglary (break-ins to steal computer parts)
Conspiracy (people agreeing to commit an illegal act on computer)
Espionage/Sabotage (stealing secrets or destroying competitors records)
Forgery (issuing false documents or information via computer)
Larceny/Theft (theft of computer parts)
Malicious destruction of property (destroying computer hardware or software)
Murder (tampering with computerized life-sustaining equipment)
Receiving stolen property (accepting known stolen goods or services via computer)
Computer as Tool: This kind of activity involves modification of a traditional crime by using the Internet in some way. The traditional analogue here is fraud. It can be something as simple as the online illegal sale of prescription drugs or something as sophisticated as cyberstalking. Pedophiles also use the Internet to exchange child pornography, pose as a child, and lure victims into real life kidnappings. Laws governing fraud apply with equal force regardless of whether the activity is online or offline, but a few special regulations apply at the federal level:
Internet fraud (false advertising, credit card fraud, wire fraud, money laundering)
Online child pornography; child luring (sexual exploitation; transportation for sexual activity)
Internet sale of prescription drugs & controlled substances (smuggling; drug control laws)
Internet sale of firearms (firearms control laws)
Internet gambling (interstate wagering laws; lottery laws; illegal gambling businesses)
Internet sale of alcohol (liquor trafficking)
Online securities fraud (securities act violations)
Software piracy & Intellectual Property theft (copyright infringement; trade secrets)
Counterfeiting (use of computer to make duplicates or phonies)
Cyberbullying (posting rumors or someone's altered private messages/photos online)
INSIDERS AND OUTSIDERS
Another way of classifying cybercrime is to use a location-based approach that distinguishes between insiders and outsiders. This is the approach the FBI uses, which is also based on an evaluation of societal costs and the capabilities of law enforcement. It is also the approach one is most likely to encounter in the published, scholarly literature (e.g. Nykodym, Taylor & Vilela 2005). Such efforts are merely categorizations and are merely descriptive, but the geographic profiling of hackers has been a law enforcement pastime for quite some time (Taylor 1991), as has criminal profiling in general (Nykodym et al. 2005). Opinions differ over the most effective form of the profiling process, but it's somewhat true that the rest of the country usually follows the lead of the FBI on such matters. If one were to visit the now-defunct National Infrastructure Protection Center (now an office in DHS with many parts of it split into InfraGard and I3P), one could have seen how the problems of joint efforts reflect a changing set of priorities and emphases, but one could also easily see how about half the tips relate to insiders (using e-mail safely within your organization) and half to outsiders (cyberprotests by foreign nationals). In late 2009, DHS opened the top-secret National Cybersecurity and Communications Integration Center (NCCIC), and it, along with other centers around the world, like NATO's Cyberresearch Facility in Estonia (formed a year after the three-week 2007 cyberwar), strives to be a center of excellence at cyber defense. Private corporations are also in the game, a good example being fast-growing SecureWorks, out of Atlanta.
Insider Threats: The disgruntled insider is the principal source of computer crime. As much as 75% of computer crimes are done by employees (note that this figure doesn't include virus or worm writing, which is primarily done by outsiders and is rarely counted as a computer crime). This makes cybercrime against business the number one type of cybercrime, and it's growing, with the estimated loss to business running about $500 million per year, in the form of crimes like theft of proprietary information, theft of customer databases, and theft of product databases. The average age of an insider offender is 29, and they generally hold managerial or professional positions (USDOJ CCIPS data of 2003 puts the age profile like this -- 34% are between 20-29, 36% between 30-35, and 27% over 35). Older offenders generally do more damage. The FBI regards disgruntled employees as motivated by a perception of unfair treatment by management or snubs by co-workers. Another fraction of incidents are caused by blunders, errors, or omissions; the FBI regards the insiders here as incompetent, inquisitive, or unintentional. The difference appears to be in the intent to disrupt. Crimes involving the computer only incidentally are treated as traditional crimes -- theft, for example, if an employee tampers with the payroll system (called "data-diddling"). However, even the FBI is continually surprised when, under the plain view doctrine, it investigates an insider threat and finds examples of child pornography, organized crime connections, and even recreational hacking. Employees often waste a lot of company time using their network access to surf, shop, or engage in other instances of lost productivity. It makes sense to profile the typical computer abuser. Every organization has them, and here are some of the signs:
missing computer supplies when the employee is around
missing software when the employee is around
numerous logon sessions, some attempts under different names
sloppy password management
unusual interest in computer system printouts
mixes personal equipment with company equipment
Insider profiling (Nykodym et al. 2005) aims to help organizations understand the types of people that are likely to commit net abuse and/or cybercrime. Some common characteristics of such people include: not being intimidated by having managers around; an inclination to break the rules; and perhaps being a keen sports fan (in the case of net abuse by online gambling at work). Such persons are usually fairly secretive, hard to communicate with, and quiet at work. Workplace cybercrime committed by managers tends to adhere to the same profile, yet the money "take" is higher. Mid- or low-level employees, who commit the majority of cybercrimes at work, tend to have more restricted access and consequently a lower "take." However, alliances between a manager and an employee can be a difficult case to investigate (detect and stop) because they are working on different levels of the hierarchy and have more ways to hide the crime.
Insider cybercrime is generally divided into four (4) main categories (Nykodym et al. 2005): (1) espionage; (2) theft; (3) sabotage; and (4) personal abuse of the organizational network. The espionage-oriented offender is similar to the outsider cybercriminal (discussed below), is generally after confidential or sensitive information, and is usually part of the management team, sometimes the higher management (very senior) team. Depending upon the racial makeup of the organization, the cybercriminal may be white or black, but they are usually secretive individuals who do not want to look different and always try to blend in among others. Theft-oriented cybercriminals are motivated by their own gain (despite what they might say about hate or revenge), with their only goal the selling or using of valuable information for money. Such criminals are usually very comfortable with their position in the organization, and they tend to be young (either male or female) and still relatively low in the organization's hierarchy. The sabotage-oriented cybercriminal is like the espionage-oriented type (in being influenced by a competitor), but saboteurs are not necessarily employed by the organization; they usually consist of subcontractors, part-timers, and the like, who also usually have one thing in common -- they have personal motives, like revenge for some mistreatment they perceive, such as a layoff or missed promotional opportunity. Age, race, and sex variation is quite diverse with this type.
Outsider Threats: Hackers are the most common group in this category. Their typical age is between 14 and 19, and they are generally part of the cyberpunk subculture. Hacking for illicit financial gain has been increasing, and less-skilled "script kiddies" (using point-and-click software instead of programming) are increasing in number. Distributed Denial of Service (DDoS) attacks are also increasing; these plant a tool such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht (German for barbed wire) on a number of unwitting victim systems, and when the hacker sends the command, the victim systems in turn begin sending messages against the real target system. 2001 was also the Year of the Virus, and several large-scale hacks were accompanied by viruses released in the wild, which led authorities to suspect that hackers and virus writers were uniting. The FBI uses the following typology to classify outsider threats:
industrial espionage - theft of proprietary information or trade secrets
terrorism - attempts to influence or disrupt U.S. policy
national intelligence - attempts by foreign governments to steal economic, political, or military secrets
infowarfare - cyber attacks by anyone on the nation's infrastructure to disrupt economic or military operations
Industrial espionage is a very high-stakes game which the U.S. plays along with everyone else. There is a 1996 Anti-Economic Espionage law that defines "trade secret" quite broadly, but arrests usually involve sting operations conducted against foreign nationals attempting to bribe somebody. It's the perfect example of an exception to the insider-outsider typology because sometimes, the crime originates with an employee who is in a position to sell trade secrets, and other times, the employee is tempted by an outsider.
Terrorists are known to use information technology to formulate plans, raise funds, spread propaganda, and communicate securely. For example, Ramzi Yousef, mastermind of the first World Trade Center attack, stored detailed plans to destroy United States airliners in encrypted files on his laptop computer. Osama bin Laden was known to use steganography for his network's communications. A website that was known as the Muslim Hacker's Club listed tips for things such as hacking the Pentagon. A hacker known as DoctorNuker has been defacing websites for the last five years with anti-American, anti-Israeli, and pro-Bin Laden propaganda. Other than by using computers to communicate and coordinate, few examples exist of cyberterrorism, or politically motivated attacks on computer systems. In fact, it is advantageous to a terrorist group to keep the Internet working, as a means of communication and an outlet for propaganda. The main tools of terrorism remain guns and bombs, not computers. There are a few instances of cyberterrorism, however, such as the 1998 attack on Sri Lankan servers by the Internet Black Tigers, or the Mexican Zapatista movement of the same year, which eventually teamed up with protesters of the World Trade Organization. We have yet to see a significant instance of "cyber terrorism" with respect to widespread disruption of critical infrastructures. However, the FBI and many others are concerned about the growth of something called hacktivism, a word that combines hacking and activism. These are politically motivated attacks, but they may also be a form of electronic civil disobedience. Such attacks are usually elegant. For example, the Zapatistas target the URLs of companies they think don't support human rights. The attack is nothing more than adding the phrase "/human_rights" to the end of the URL. The page returns a display that says "human rights not found on this server", which is also recorded in the server logs. They don't actually flood the server; they send just enough requests to make sure it's noticed in the server logs.
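Because the tactic described above works by leaving "not found" entries in the server logs, a web administrator can spot it by counting 404 responses whose request path ends in the marker phrase, grouped by client address. The following is an added example for that defender-side check, not code from the original lecture; the log lines, IP addresses and the threshold of three hits are constructed for illustration.

```python
"""Flag 'virtual sit-in' noise (repeated marker-path 404s) in web server logs.

Added example: counts 404 responses per client whose path ends with a known
marker suffix such as /human_rights. The log lines are constructed samples in
Apache/nginx combined log format, using documentation IP ranges.
"""
import re
from collections import Counter

# Constructed sample log (not a real capture). One line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2012:10:01:05 +0000] "GET /about/human_rights HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2012:10:01:09 +0000] "GET /products/human_rights HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2012:10:01:14 +0000] "GET /contact/human_rights?x=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2012:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2012:10:02:03 +0000] "GET /human_rights HTTP/1.1" 404 312 "-" "Mozilla/5.0"
this line is malformed and should be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Marker suffixes the tactic appends to otherwise valid URLs (hypothetical list).
MARKERS = ("/human_rights",)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def marker_404s(log_text, markers=MARKERS):
    """Count, per client IP, the 404 responses whose path ends with a marker.

    The query string and any trailing slash are stripped first, so a request for
    /contact/human_rights?x=1 is still recognised. Ordinary 404s (e.g. a missing
    favicon) are ignored because they carry no marker.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than crash
            continue
        ip, path, status = rec
        path = path.split("?", 1)[0].rstrip("/")
        if status == 404 and any(path.endswith(mk) for mk in markers):
            hits[ip] += 1
    return hits


def flag_sit_in(log_text, threshold=3):
    """Return the sorted client IPs whose marker-404 count reaches the threshold."""
    return sorted(ip for ip, n in marker_404s(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in marker_404s(SAMPLE_LOG).items():
        print(f"{ip}: {n} marker 404s")
    print("flagged:", flag_sit_in(SAMPLE_LOG))
```

On the sample log this reports three marker hits from 203.0.113.10 and one from 198.51.100.7, so only the first address crosses the threshold; in practice the threshold and marker list would be tuned to the site's normal 404 rate.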
Foreign intelligence services have adapted to using cyber tools as part of their information gathering and espionage tradecraft. In a case dubbed "the Cuckoo's Egg," between 1986 and 1989 a ring of West German hackers penetrated numerous military, scientific, and industry computers in the United States, Western Europe, and Japan, stealing passwords, programs, and other information which they sold to the Soviet KGB. Significantly, this was over a decade ago -- ancient history in Internet years.
Infowarfare usually involves one nation's military forces acting against another's. We know that several nations are already developing information warfare doctrine, programs, and capabilities for use against each other and the United States. China and Taiwan have been at infowar for years. Foreign nations develop such programs because they feel they cannot defeat the United States in a head-to-head military encounter and believe that information technology is our Achilles' heel.
Cyberextortion is an outsider threat designed to obtain money, products, or favorable considerations from an organization or an organization's individual employees using illegal means of persuasion related to a computer intrusion or threatened computer intrusion that would make it impossible or difficult for that organization to do business. The method of attack is most typically a Denial of Service (DoS) although theft of data or public ridicule (web defacement) are also common. The crime takes advantage of the tendency for most businesses to NOT want their infrastructure vulnerability made public. The target is typically a company that is involved heavily in e-commerce, and there is some tendency for targets to be companies that outsource their help desk function to places like India and Pakistan. Not much is known about cyberextortionists, but a research study at Carnegie Mellon promises to shed some light on the subject.
This crime is a good example of a transnational crime. While it can occur within the boundaries of a single nation (Japanese businesses, for example, tend to be cyberextorted by Japanese criminals), it is more commonly found in the form of Russian or Eastern European hackers, hired or coerced by some organized crime group into finding American and European companies to break into. Banking organizations are a particular target. The bank victim is threatened with having all or most of its customers' PINs posted on the Internet somewhere, and a surprising number of victims "pay up" rather than report the problem to law enforcement. Cyberextortion, in its organized crime variety, also represents an interesting division of labor among criminals, since the hackers do specialized, technical work and their "handlers" do specialized, nontechnical work.
A TYPOLOGY OF HACKERS
At the heart of cybercrime are the hackers. These people are the ones with the skills to commit the crimes, and an interesting way to look at them is to focus upon the lifestyles and personalities of hackers. Take it for what it's worth. None of these personality characteristics have been validated by any empirical tests. The first typology comes from Maxfield (1985):
Pioneers -- those who are fascinated by evolving technology and explore it without knowing exactly what they are going to find
Scamps -- hackers with a sense of fun who intend no overt harm
Explorers -- hackers motivated by a delight in breaking into computer systems. The more geographically distant, or more secure, the target is, the greater the delight
Game players -- those who enjoy defeating software or system protection, with hacking seen as a sort of game itself
Vandals -- those who cause damage for no apparent gain
Addicts -- nerds who are literally addicted to hacking and computer technology
A second typology (Coutourie 1989) describes the relationship of a hacker to their computer:
Playpen -- in which the computer is seen as a toy
Fairyland -- where cyberspace is an unreal world where wrong cannot be done
Land of opportunity -- where there's nothing wrong with exploiting a vulnerable system
Tool box -- in which the computer is just a way to get other things done
Cookie jar -- with the computer as a place to go borrow things now and again
War game -- where hostile feelings are vented against machines rather than people
There have been no attempts (that I know of) to apply these typologies to real-life case studies, although allow me to give you some cases, and let you see if you can apply anything yourselves:
Case Studies of Hackers
"Captain Crunch" -- In 1972, "Capt. Crunch" aka John Draper realized that by blowing the whistle that came in Capt. Crunch cereal boxes, he could replicate the tones necessary to place free long-distance phone calls. He spent some time on probation and in prison, then went to work for Apple Computer.
Kevin Mitnick -- In 1994, Mitnick was the world's most wanted hacker for breaking into Digital Equipment's computers and stealing source code. He served some years in prison, then became a book author.
Kevin Poulsen -- In 1995, Poulsen, a friend of Mitnick's, broke into FBI computers. He spent some years in prison, and is now a computer security journalist.
"Mafiaboy" -- In 2000, this Canadian boy launched denial-of-service attacks on CNN, Yahoo, and other major websites. He ended up under house arrest and was restricted from using the Internet.
Onel DeGuzman -- In 2000, this Filipino computer science student unleashed the "ILOVEYOU" virus on the Net. He went unpunished because the Philippines had no law covering the crime.
Center for Strategic & International Studies (CSIS)
Cyberbullying Research, News, and Events
Cybercrime, Justice, Law and Society
Cyberpunk Top 100 Sites
Cyberspace and the American Dream
Cyberterrorism: How Real is the Threat?
DHS National Infrastructure Protection Center
Federal Guidelines for Searching & Seizing Computers (1994)
Federal Guidelines for Searching & Seizing Computers (2001)
InfoSec and InfoWar Portal
Institute for Advanced Study of Information Warfare
MSNBC's Hacker Diaries
National Cybercrime Training Partnership
National Strategy to Secure Cyberspace
Navy Postgraduate School White Paper on Cyberterror (pdf)
Prof. Rob Kling's Social Informatics web page
Reality Bites: Cyberterrorism and Terrorist Use of the Internet
SocioSite: Power, Conflict, War, CyberWar, Cyberterrorism
The Zapatista Social Netwar in Mexico
U.S. Dept. of Justice Cybercrime Section
What is CyberTerrorism?
White House National Strategy to Secure Cyberspace
Arquilla, J. & D. Ronfeldt. (2001). Networks and netwars. Santa Monica: RAND.
Ballard, J., Hornik, J. & McKenzie, D. (2002). Technological facilitation of terrorism. American Behavioral Scientist 45(6):989-1016.
Barney, D. (2000). Prometheus wired. Chicago: Univ. of Chicago Press.
Becker, R. (2000). Criminal investigation. Gaithersburg, MA: Aspen.
Bennett, W. & K. Hess. (2001). Criminal investigation. Belmont, CA: Wadsworth.
Biegel, S. (2003). Beyond our control: The limits of law in cyberspace. Cambridge, MA: MIT Press.
Brown, S., F. Esbensen & G. Geis. (2001). Criminology. Cincinnati: Anderson.
Clifford, R. (2011). Cybercrime, 3e. Durham: Carolina Academic Press.
Collin, B. (1996). "The future of cyberterrorism," paper presented at the 11th Annual International Symposium on Criminal Justice Issues, University of Illinois at Chicago, at http://afgen.com/terrorism1.html.
Coutourie, L. (1989). "The computer criminal." FBI Law Enforcement Journal 58: 18-22.
Denning, D. (2000). "Activism, hacktivism, and cyberterrorism: The Internet as a tool for influencing policy." Georgetown Univ. workshop paper.
Denning, D. (2000). "Cyber terrorism: Testimony before the Special Oversight Panel on Terrorism," U.S. House of Representatives, Committee on Armed Services (23 May), at http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html.
Denning, D. (2000). "Cyberterrorism," Global Dialogue (Autumn), at http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc.
Denning, D. (2001). "Is cyber terror next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm.
Deutch, J. (1996). "Statement before the U.S. Senate Governmental Affairs Committee, Permanent Subcommittee on Investigations" (25 June), at http://www.nswc.navy.mil/ISSEC/Docs/Ref/InTheNews/fullciatext.html.
Dyson, E. et al. (1994). Cyberspace and the American dream. EFF. [article website]
Embar-Seddon, A. (2002). Cyberterrorism: Are we under siege? American Behavioral Scientist 45(6):1033-43.
Garfinkel, S. (2004). "The FBI's cybercrime crackdown," Pp. 21-25 in J. Victor & J. Naughton (eds.) Annual Editions: Criminal Justice 04/05. Dubuque, IA: Dushkin.
Holt, T. (2010). Crime On-Line. Durham: Carolina Academic Press.
Johnson, T. (Ed.) (2005). Forensic computer crime investigation. Boca Raton, FL: CRC Press.
Kalathil, S. & Boas, T. (2003). Open networks, closed regimes. Washington DC: Brookings.
Kopelev, S. (2000). "Cracking computer codes." Law Enforcement Technology 27(1): 60-67.
Lessig, L. (1999). Code and other laws of cyberspace. NY: Basic Books. [author's website]
Lipschultz, J. (1999). Free expression in the age of the Internet. Boulder, CO: Perseus Books.
Loader, B. & D. Thomas. (2000). Cybercrime, law enforcement, security and surveillance. London: Routledge.
Maxfield, J. (1985). "Computer bulletin boards and the hacker problem." The Electric Data Processing Audit, Control and Security Newsletter. Arlington: Automation Training Center, October.
Mena, J. (2004). Homeland security techniques and technologies. Hingham, MA: Charles River Media.
Meyer, J. & C. Short. (1998). "Investigating computer crime." Police Chief 65(5): 28-35.
Moore, R. (2005). Cybercrime. Cincinnati: LexisNexis Anderson.
Nykodym, N., Taylor, R. & Vilela, J. (2005). "Criminal profiling and insider cyber crime." Digital Investigation 2(4): 261-267.
Parker, T., Sachs, M., Shaw, E., Stroz, E. & Devost, M. (2004). Cyber adversary characterization. NY: Syngress.
Piper, T. (2002) "An uneven playing field: The advantages of the cybercriminals vs. law enforcement." SANS Reading Room, http://www.sans.org/rr/legal/uneven.php.
Pollitt, M. (n.d.) "Cyberterrorism: Fact or fancy?" http://www.cs.georgetown.edu/~denning/infosec/pollitt.html.
Power, R. (2000). Tangled web: Tales of digital crime from the shadows of cyberSpace. Indianapolis: Que.
Riem, A. (2001). "Cybercrimes of the 21st century." Computer Fraud & Security 4: 12-15.
Rose, L. (1995). Net law: Your rights in an online world. NY: McGraw Hill.
Schmalleger, F., & Pittaro, M. (2009). Crimes of the Internet. Upper Saddle River, NJ: Pearson Education.
Speer, D. (2000). "Redefining borders: The challenges of cybercrime." Crime, Law & Social Change 34:259-73.
Sullivan, S. (1999). "Policing the Internet." FBI Law Enforcement Bulletin 68(6): 18-21.
Taylor, R. (1991). "Computer crime" in C. Swanson, N. Chamelin & L. Teritto, Criminal Investigation. NY: Random House.
Wall, D. (Ed.) (2001). Crime and the Internet. NY: Routledge.
Weimann, G. (2004). How modern terrorism uses the Internet, from http://www.usip.org/pubs/specialreports/sr116.html.
Weimann, G. (2006). Terror on the Internet. Dulles, VA: Potomac Books.
Unknown author (n.d.). What are Al Qaeda's cyberterrorism capabilities? From http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/alqaeda.html.
Whine, M. (1999). "Cyberspace: A new medium for communication, command, and control by extremists." Studies in Conflict and Terrorism 22:231-245.
Last updated: Dec. 09, 2012
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T. (2012). "Cybercrime and Cyberlaw," MegaLinks in Criminal Justice. Retrieved from http://www.drtomoconnor.com/3100/3100lect03.htm.